The Secret to Secure Data? Supporting Your CISO
By Ameesh Divatia, CEO and co-founder | August 11, 2022
Few executive positions are as pressure-packed as the chief information security officer (CISO). In one study, 21% of CISOs said their companies offered no support to help alleviate the stresses of their job. It is no surprise that the same report found that the average tenure for CISOs was just 26 months.
CISOs are expected to possess the necessary IT background to see where potential security threats exist and the business expertise to know how these threats could impact every line of business. The CISO is often a business translator, bridging the often vast chasm between the C-suite and IT. And when the eventual breach occurs, CISOs are at the center of the blame.
In short, the role is critical to a company’s success, but the current CISO churn rate does not bode well for any organization’s overall security posture. Therefore, it is essential to identify some of the more significant changes in the evolution of the position and explore ways companies can better support CISOs and reduce turnover in the role.
Why the CISO role is more complex today
Until recently, the CISO was a niche position focused only on preventing threats. Today, CISOs must focus on threat prevention while aligning with the company’s business objectives. That’s because data security now touches on almost every aspect of a business. As a result, CISOs spend less (if any) time developing IT innovation and more time strategizing, planning and creating checklists.
Let’s look at how the CISO role has evolved from a strictly IT position to one requiring deep technical, business and planning acumen.
- Cloud computing. When data was restricted to an on-premises database and IT infrastructure, data security meant creating a strong perimeter to keep criminals from entering the premises and accessing sensitive data. Employees with work devices had to log on to the company’s VPN to access a subset of data. But as organizations transition to the cloud, that perimeter has largely disappeared. CISOs must now devise strategies to ensure that data is protected—often at the record level—in a manner agnostic to where it is stored or processed.
- Remote work. The pandemic accelerated the transition to off-site work environments. As a result, CISOs have had to develop security strategies for devices that connect from employees’ own networks—ones the company has no control over—instead of keeping all connected devices inside the company’s network. Even as many offices reopen to onsite work, companies will continue to require CISOs to maintain strong security postures for on-site and remote work locations.
- Data movement. A company’s data is no longer in one place. Businesses are analyzing and sharing it. That data holds tremendous value and must be protected based on how companies use and share it. CISOs must consider myriad scenarios and nuances of data collection, storage, and processing (in general, movement through pipelines) to implement protection strategies aligned with business objectives. Further, CISOs must keep up with the ever-expanding options for data extraction from myriad sources and identify a way to protect data using methods that do not interfere with its utility.
- Data privacy laws. Unlike the EU, where the GDPR is a comprehensive baseline for data protection, the U.S. does not have a national privacy law. As a result, it is up to individual states to determine their standards for how companies should address data privacy. California, Virginia, Colorado, Connecticut, and Utah are the only states with such laws currently on the books, though other states are in various stages of considering legislation. Because companies often work across multiple states, they must understand the unique legal requirements in each to avoid falling out of compliance, and keep a close eye on any other laws that may impact the business.
How companies can support CISOs
Given the increased pressure CISOs are under, organizations should give them the financial and talent resources necessary to more easily align security with business needs.
- IT Budgets. Companies realize that security budgets must keep up with IT budgets to meet evolving needs. CISOs would benefit from organizations’ realizing that the CISO’s budget is not just an insurance payment but an investment to help differentiate the organization and a source of strategic value. This understanding would give the CISO a seat at the table when planning key IT initiatives, rather than making them an afterthought for preventing data exfiltration.
- Training Initiatives. Most security incidents happen due to human errors in configuration or supply chain vulnerabilities that are ignored. Investments in IT and data engineering personnel training—training that enables best security practices and compliance with emerging data privacy regulations—go a long way in making these employees part of the solution the CISO is deploying rather than a hindrance to the business’s ongoing operations.
- Asset Inventory. Key precursors to a defendable security posture include identifying sensitive data assets and accurate risk assignment. Modern tools allow policies of usage and storage to be attached to data records when they are created so that data is protected throughout its lifecycle, from creation to ingestion, storage, and eventually, consumption.
- Audit Authorization. In our fast-paced world of agile business processes, data engineers are rewarded for creating frameworks that rapidly analyze business data to improve market outcomes. This can lead to a “fast and loose” posture that risks exposing sensitive data while accelerating data analytics. CISOs must be empowered to put checks in these frameworks to enable analytics without exposing sensitive data. An example of such measures is privacy-enhancing computation (PEC), a technique that allows data processing without compromising privacy.
CISOs are indispensable as they protect a company’s most valuable non-human asset: data. Because the role has changed in scope and importance in such a short period, reducing CISO turnover is challenging. By addressing the most significant stressors CISOs face, organizations stand to retain the best talent. Having continuity in the CISO position provides stability for comprehensive, long-term data protection strategies and improves the outlook of a company’s cybersecurity and business missions.
Originally appeared in Forbes.